The latest articles on DEV Community by Abhiroop Santra (@abhiroop43). https://dev.to/abhiroop43 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1195917%2F036aaca9-0f9b-467b-9534-29a9c2bd473f.jpeg https://dev.to/abhiroop43 en Abhiroop Santra Sat, 07 Feb 2026 07:12:58 +0000 https://dev.to/abhiroop43/configure-azure-entra-external-id-authentication-for-blazor-web-app-3mma https://dev.to/abhiroop43/configure-azure-entra-external-id-authentication-for-blazor-web-app-3mma <p>This guide explains how to configure Azure Entra External ID (the successor to Azure B2C) for a Blazor Web App.</p> <p>This guide has been written for Blazor Web Apps with Server rendering, but should be compatible with WebAssembly as well. The .NET framework version is 10 (the latest LTS at the time of this writing).</p> <ul> <li><p>Start with creating a new .NET Blazor Web App with Interactive Render Mode set to server.</p></li> <li> <p>Add the following <strong>nuget</strong> packages to your Blazor Project:</p> <ul> <li>Microsoft.Identity.Web</li> <li>Microsoft.Identity.Web.UI</li> </ul> </li> <li><p>Login to <a href="https://entra.microsoft.com/#home" rel="noopener noreferrer">Microsoft Entra - Microsoft Entra admin center</a></p></li> <li><p>Make sure you are in your default <code>Workforce</code> tenant. You can select <code>Overview</code> then <code>Manage Tenants</code> to ensure you are in the right tenant.</p></li> <li><p>Select <code>External Identities</code></p></li> <li><p>Select <code>External Identity Providers</code> and ensure your preferred providers are configured. For my project, I had kept the default selections.</p></li> <li><p>Select <code>User Flows</code> and add new user flow to allow users to sign up. Make sure the user attributes you need are selected.</p></li> <li><p><em>Optional:</em> Select <code>Domain names</code> and add your custom domain then verify it.</p></li> <li><p>Select <code>App Registrations</code> and create a new app. Select one of the options which allow personal accounts.</p></li> <li><p><em>Optional:</em> In the <code>Branding &amp; Properties</code> section, update the App information with your branding, logo, ToS etc. Also you can update the domain to your custom domain (this will not impact your primary domain in the tenant).</p></li> <li><p><em>Optional:</em> Select <code>Owners</code> and assign yourself the App Owner.</p></li> <li> <p>Select <code>Authentication</code> and add a <strong>Web</strong> Redirect URI. Set it to <code>https://app_base_url/signin-oidc</code></p> <ul> <li>For example: <code>http://localhost:5171/signin-oidc</code> or <code>https://localhost:7215/signin-oidc</code> </li> </ul> </li> <li><p>Select <code>Certificates &amp; Secrets</code> and create a new client secret. Note down the value for later use.</p></li> <li><p>Add the following snippet to your <code>appsettings.json</code><br><br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"AzureAd"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Instance"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://login.microsoftonline.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TenantId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"consumers"</span><span class="p">,</span><span class="w"> </span><span class="err">/*this</span><span class="w"> </span><span class="err">is</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">external</span><span class="w"> </span><span class="err">users</span><span class="w"> </span><span class="err">authentication*/</span><span class="w"> </span><span class="nl">"ClientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_app_registration_client_id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ClientSecret"</span><span class="p">:</span><span class="w"> </span><span class="s2">"the_secret_you_generated_earlier"</span><span class="p">,</span><span class="w"> </span><span class="err">/*better</span><span class="w"> </span><span class="err">to</span><span class="w"> </span><span class="err">use</span><span class="w"> </span><span class="err">Key</span><span class="w"> </span><span class="err">Vault</span><span class="w"> </span><span class="err">in</span><span class="w"> </span><span class="err">production</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">secrets.json</span><span class="w"> </span><span class="err">during</span><span class="w"> </span><span class="err">development*/</span><span class="w"> </span><span class="nl">"CallbackPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/signin-oidc"</span><span class="w"> </span><span class="p">}</span><span class="err">,</span><span class="w"> </span><span class="nl">"DownstreamApi"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"BaseUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://graph.microsoft.com/v1.0/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"RelativePath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"me"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"user.read"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="err">,</span><span class="w"> </span></code></pre> </div> <ul> <li>In <code>Program.cs</code> or where the configuration of the <strong>builder</strong> object is done, add the following snippet. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">services</span> <span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="n">OpenIdConnectDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">)</span> <span class="p">.</span><span class="nf">AddMicrosoftIdentityWebApp</span><span class="p">(</span><span class="n">configuration</span><span class="p">)</span> <span class="p">.</span><span class="nf">EnableTokenAcquisitionToCallDownstreamApi</span><span class="p">()</span> <span class="p">.</span><span class="nf">AddInMemoryTokenCaches</span><span class="p">();</span> <span class="n">services</span><span class="p">.</span><span class="nf">AddCascadingAuthenticationState</span><span class="p">();</span> </code></pre> </div> <ul> <li>In <code>Program.cs</code> or where the configuration of the <strong>app</strong> object is done, add the following snippet: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> </code></pre> </div> <ul> <li>Add the following lines to your <code>_Imports.razor</code>: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">@using</span> <span class="n">Microsoft</span><span class="p">.</span><span class="n">AspNetCore</span><span class="p">.</span><span class="n">Authorization</span> <span class="n">@using</span> <span class="n">Microsoft</span><span class="p">.</span><span class="n">AspNetCore</span><span class="p">.</span><span class="n">Components</span><span class="p">.</span><span class="n">Authorization</span> </code></pre> </div> <ul> <li>From now on, you can configure any page or component to require authentication and blazor will automatically redirect to the Azure Entra Login Page if the user is not logged in. Here is the snippet that needs to be added to the top of a component or page so that it requires authentication. You can pass the role names as parameters to the <code>Authorize</code> attribute. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">@attribute</span> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> </code></pre> </div> <ul> <li>Additionally, you can make use of the <code>AuthorizeView</code> to generate a Login and Logout button for your application or hide the sensitive sections of your app from unauthenticated users.</li> </ul> <p>Here is a project where I have implemented Azure Entra External ID which can be used for reference <a href="https://github.com/abhiroop43/InventoryManagement" rel="noopener noreferrer">Inventory Management System</a>.</p> blazor azure dotnet